How to Use Access Control Lists to Control File Permissions on Linux

A very useful feature in Linux is the “Access Control Lists” which controls access to files and directories. Here is how the access control lists work to control the file permissions in Linux.

Note: To thoroughly grasp how access control lists work, we’re first setting up some users and groups on a working Linux system. The following exercise is carried out on a virtual machine running Kali operating system. The root user has the power to add new users to the system and allot them to groups.

Creating users and groups

Firstly, we will log in as root, create users and put them in respective groups as shown in the table below. The users have been given simple names to help comprehend the concept better.

User    Group
john1   johns
john2   johns
john3   johns
jane1   janes
jane2   janes

We will use the adduser command to add new users to the system.

The id command will display the details of the newly created user. It will show the user id (uid), group id (gid) and group name (groups). The user, upon creation, is automatically added to a group with the same name as the user name. That user would be the sole member of the group.

Likewise, users “john2” and “john3” are also created.

Once the three users have been created, use the id command to view the respective user and group ids.

We can see that the three users are in their own groups – 1000, 1001 and 1002. According to the table shown earlier, we want the three users to be in the same group: johns. Since such a group does not exist on the system currently, we will create it with the groupadd command:

The new group ID is specified as 5000. If the -g switch is omitted, the system will pick a group ID automatically. The name of the new group is “johns.” Now the three users – “john1,” “john2” and “john3” – need to be added as members of this group. We will use the usermod command for this task.

usermod adds the user “user_name” to the group “group_name.” The following figure first displays the uid and gid for “john1” before the group change. After the usermod command runs successfully, “john1” is added to the “johns” group with gid 5000.

The same process is done for users “john2” and “john3.”

Finally, the details of the three users in the “johns” group can be viewed using the id command.

We have successfully created three users and added them to the same group.

Similarly, users “jane1” and “jane2” are created and added to the “janes” group with gid 6000. Their details can be viewed using the id command as shown below.
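
The whole user and group setup above, as an added example that is not the article's own: it recreates the table with groupadd -g, adduser and usermod on a Debian-family system such as Kali (the adduser flags assumed are the Debian ones), and checks membership by parsing the same id output the article reads off its screenshots.

```shell
#!/bin/sh
# Added example (not from the article): recreate the users and groups from the
# table on a Debian-family system such as Kali. setup_users needs root and uses
# the same tools the article does: groupadd -g, adduser and usermod.
# id_groups/in_group only parse `id` output, so they can be checked without root.
set -eu

# Print the group names from an `id` line such as
#   uid=1000(john1) gid=1000(john1) groups=1000(john1),5000(johns)
id_groups() {
  printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
    | sed 's/^[0-9]*(\(.*\))$/\1/' | tr '\n' ' ' | sed 's/ $//'
}

# Succeed if the `id` line in $1 lists the group named $2.
in_group() {
  for g in $(id_groups "$1"); do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# Create the two groups with the gids the article chose, then the users,
# appending each user to its group. -a keeps the user's existing groups;
# without it, -G would replace them.
setup_users() {
  groupadd -g 5000 johns
  groupadd -g 6000 janes
  for u in john1 john2 john3; do
    adduser --disabled-password --gecos '' "$u"
    usermod -a -G johns "$u"
  done
  for u in jane1 jane2; do
    adduser --disabled-password --gecos '' "$u"
    usermod -a -G janes "$u"
  done
  # Confirm membership the way the article does, via id.
  # "${u%?}s" turns john1 into johns and jane1 into janes.
  for u in john1 john2 john3 jane1 jane2; do
    in_group "$(id "$u")" "${u%?}s" || { echo "$u not in group" >&2; return 1; }
  done
}

# Only touch the system when explicitly asked, and only as root.
if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo 'run as root' >&2; exit 1; }
  setup_users
fi
```

Run it as `sh setup.sh --apply` as root to create the accounts; without the flag it only defines the functions.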

What is the need for Access Control Lists?

Let’s assume user “john1” logs in, creates a new file in the Home directory, and adds some content to it.

Using the ls command, we view the file’s metadata.

The first ten characters in the output, -rw-r--r--, make up the permission string. Let us dissect it:

-      file type
rw-    permissions john1, the owner, has on the file
r--    permissions members of the johns group have on the file
r--    permissions given to others not in the johns group

This article is a good primer on file permissions.

What if “john1,” being the file owner, wants to additionally give write permissions only to “john2” and “jane1” but persist with read permissions for “john3” and “jane2?”

User    Permissions
john1   rw-
john2   rw-
jane1   rw-
john3   r--
jane2   r--

One option would be to create a new group with read, write permissions for “john1,” “john2” and “jane1” and another group with only read permissions for “john3” and “jane2.” In case john1 wishes to modify permissions further for any group member, then more groups need to be created. Creating and managing multiple groups is a burden to the system administrator.

Instead, an “Access Control List” can be created for a file which would clearly state the operations any user can perform on that file.

How to Create an Access Control List (ACL) for a file?

Every file upon creation has an ACL assigned to it. Using it efficiently is simply a matter of modifying it. Only the file owner and root user can modify the ACL of a file.

We can use the getfacl command to view the existing ACL:

The lines starting with # are comment lines. The actual information is in the last three lines of output, which is similar to the permission string obtained earlier. The “user” line refers to the permissions assigned to the file owner “john1.” The “group” line refers to the permissions assigned to other members of the “johns” group. As you might have guessed, the “other” line refers to anyone else outside the group.

Let us use the setfacl command to modify the existing ACL on the file. Each ACL entry has three fields, written entity:name:permissions:

entity        who the ACL entry is for: a user (u), a group (g) or others (o)
name          the name of the user or group the ACL entry applies to
permissions   the read, write and execute permissions, denoted by the letters r, w and x

“john2” is first given read, write access to the file,

followed by “jane1.”

Let us view the updated ACL for “secretfile.”

We can see that read and write permissions have been assigned to “john2” and “jane1.”
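
The two setfacl commands and the getfacl check above, as an added example (not the article's own code). It assumes the file is called secretfile as in the article, that the users exist, and that the filesystem is mounted with ACL support; it also works out what a named user effectively gets, because setfacl adds a mask entry next to named entries and a named entry never grants more than the mask allows.

```shell
#!/bin/sh
# Added example (not from the article): give john2 and jane1 read/write access
# to secretfile with setfacl, read the ACL back with getfacl, and compute the
# permissions a named user really gets. apply_acl needs the users to exist and
# a filesystem mounted with ACL support; the other functions only process text.
set -eu

# ACL entries take the form entity:name:permissions; -m adds or updates an
# entry. Run as the file owner (john1) or as root.
apply_acl() {
  f=$1
  setfacl -m u:john2:rw "$f"
  setfacl -m u:jane1:rw "$f"
  ls -l "$f"        # a trailing + marks a file carrying an extended ACL
  getfacl "$f"      # named entries appear as user:john2:rw- and so on
}

# Intersection of two permission triplets, e.g. rw- and r-- give r--.
acl_and() {
  out=''; i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s\n' "$1" | cut -c"$i"); b=$(printf '%s\n' "$2" | cut -c"$i")
    if [ "$a" = "$b" ] && [ "$a" != '-' ]; then out="$out$a"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Effective permissions of named user $2 from getfacl output $1. A named entry
# is limited by the mask entry, and once a mask exists ls -l shows the mask,
# not the owning group's bits, in the group column. Returns 1 when the user
# has no named entry (the group:: or other:: line applies instead).
effective_perms() {
  entry=$(printf '%s\n' "$1" | sed -n "s/^user:$2:\([rwx-]*\).*/\1/p")
  [ -n "$entry" ] || return 1
  mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
  if [ -n "$mask" ]; then acl_and "$entry" "$mask"; else printf '%s\n' "$entry"; fi
}

# Constructed getfacl output for secretfile after apply_acl (not captured from
# the article's system).
SAMPLE_ACL='# file: secretfile
# owner: john1
# group: johns
user::rw-
user:john2:rw-
user:jane1:rw-
group::r--
mask::rw-
other::r--'
```

If a later chmod g-w on the file lowers the mask to r--, john2 and jane1 silently drop back to read-only even though their entries still say rw-; effective_perms makes that visible.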

Verifying that the ACL works

We can see that “john2” is able to read the file and write to it.

The new information entered by “john2” has been appended to the file.

Likewise, “jane1” gets the same privilege – read access and write access.

But “john3” in the same group is unable to write to the file.

“jane2,” who belongs to the other category, is also unable to write to the file.

Conclusion

The same process can be extended to directories, too. Access Control Lists enable a system administrator to handle file and directory access in an adept manner.

5 comments

  1. I have never used this before or had the need but the article is very interesting.
    One point to note, I first tried this on my work computer and it didn’t work, I get
    setfacl: ldapot1.txt: Operation not supported

    Then I tried it on my computer and it worked. After searching I found that this depends on the mount, and as my home directory at work is mounted using NFS, it doesn’t work there, but then if I go to a non-NFS file system, it works as well!

    1. That’s interesting to know about NFS mounts!

  2. This was an amazingly well-written and informative article. You made what could have been a difficult concept so very easy to understand! It was so impressive, I looked for more articles written by you and noted this was your first one. Hope you continue to write more in the future.

    I use my Linux box as a classic PC (Personal Computer) and so adding users, groups, etc… is not something I look at. But the patient educational style had me glued to the screen the whole time. Ha!

    On a sidenote, when I typed “id gary7”, I received a bit more information:

    uid=1000(gary7) gid=1000(gary7)

    groups=1000(gary7),4(adm),24(cdrom),27(sudo), 30(dip),46(plugdev),116(lpadmin),125(sambashare)

    Do I dare go down the rabbit hole by asking what’s happening in the “groups=…” section:-)? Is it a listing of all groups on the system to which gary7 is tied into?

    1. Thank you. You are correct! The information in the “groups=…” section is indeed a listing of all the groups in the system that the user is a part of.

      Group ID numbers within the range 1000 to 59999 refer to user-made groups and group IDs within the range 100 to 999 refer to system-wide groups. The range is inclusive of start and end values. When a user is a part of a system group, that user can make use of said system feature or device.

      1. Thanks Divya. Appreciated the additional information on user-made and system-wide group IDs!
